Evaluating the Cisco VPN 3000 Series Concentrator

Do you have any experience with Cisco Systems' Cisco VPN 3000 Series Concentrator? We want to upgrade our network to maximize security, and we're considering buying a Cisco concentrator to replace our current Windows NT server, which runs PPTP.

The Cisco VPN 3000 Series Concentrator is one of the better VPN concentrator families on the market. You can configure these products from the command line or through Cisco's Web interface. (I typically prefer to use the command-line option to configure network gear, but the browser-based configuration is simple.) You can base authentication on Windows 2000 Active Directory (AD), NT, another external source (e.g., Remote Authentication Dial-In User Service, or RADIUS, or digital certificates), or an internal user list. Supported protocols are PPTP, IP Security (IPSec), Layer 2 Tunneling Protocol (L2TP), L2TP over IPSec (L2TP/IPSec), and Network Address Translation (NAT) Transparent IPSec.

The Cisco VPN 3000 Series Concentrator supports several clients, including the Cisco VPN Client, the Microsoft Win2K L2TP/IPSec Client, and Microsoft PPTP for Win2K, NT 4.0, and Windows 9x. I use the software Cisco VPN Client, which is simple to configure and lets me create and send profiles (as files) to users for simple remote configuration. Performance seems marginally better than what you get over PPTP; if you go for maximum security, performance can be a little slower than PPTP (depending on the authentication method you use).

A huge price gap exists between the low-end Cisco VPN 3005 Concentrator, which costs a few thousand dollars, and the next step up, the Cisco VPN 3015 Concentrator, which costs more than $10,000. The less expensive product supports as many as 100 simultaneous users but isn't upgradable. You can use Cisco's Scalable Encryption Processing (SEP) modules, which offload encryption from software to hardware, to upgrade the more expensive concentrator. For most companies with 200 to 300 employees, the Cisco VPN 3005 Concentrator is usually sufficient, but you need the Cisco VPN 3015 Concentrator if you want a redundant power supply.